Enhancing User Empowerment and Safeguarding Against GenAI Data Loss

With the widespread availability of generative AI tools in late 2022, employees in various sectors quickly recognized the potential of these technologies to enhance productivity, streamline communication, and expedite workflows. Historically, innovations such as file sharing, cloud storage, and collaboration platforms have entered enterprises through grassroots efforts by employees rather than via official IT channels. The enthusiasm to leverage AI for smarter work processes resulted in a surge of unmonitored usage across organizations.

In response to the potential risk of sensitive data being exposed to public AI interfaces, many organizations resorted to blocking access to these tools. While this action may serve as a temporary defensive response, it fails to provide a sustainable solution and often proves ineffective in reality.

Shadow AI: The Unseen Risk

The analysis conducted by Zscaler’s ThreatLabz team indicates a significant increase in AI and machine learning traffic within enterprises. In 2024, ThreatLabz reported analyzing 36 times more traffic related to these technologies compared to the previous year, revealing the presence of over 800 different AI applications in active use.

Blocking unauthorized AI applications has not deterred employees from utilizing these tools; rather, they have adapted by emailing sensitive files to personal accounts, utilizing personal devices for work-related tasks, and capturing screenshots to interact with AI systems. These workarounds create an unseen risk termed “Shadow AI,” which eludes conventional enterprise monitoring and protection mechanisms. Consequently, organizations face growing vulnerabilities as they remain oblivious to these shadow practices.

Although blocking access to unapproved AI applications may lead to a deceptive perception of usage patterns on reporting dashboards, the truth remains that organizations are not effectively protected but simply unaware of ongoing activities.

Lessons From SaaS Adoption

This scenario mirrors previous challenges encountered during the early adoption of software as a service (SaaS) tools, where IT departments struggled to manage unsanctioned use of cloud-based applications. The solution did not reside in prohibiting file sharing, but rather in offering secure, user-friendly alternatives that fulfilled employee expectations for convenience and efficiency.

In the present context, the stakes are considerably higher. Data leakage resulting from SaaS typically involved mismanaged files, while AI poses a distinct risk of inadvertently exposing proprietary information when utilized through public models without the possibility of retrieval. Once sensitive data is integrated into a large language model, there is no mechanism for restoration.

Visibility First, Then Policy

For organizations to govern AI usage effectively, comprehensive visibility into these activities is paramount. Blocking traffic without transparency is akin to erecting a barrier without understanding property boundaries.

Zscaler’s positioning within network traffic flow provides a unique perspective, enabling the identification of accessed applications, user engagement levels, and frequency of use. This real-time visibility is vital for assessing risks, shaping policies, and promoting intelligent and secure AI integration.

In advancing policy frameworks, many providers offer simplistic “allow” or “block” options. A more sophisticated approach involves context-sensitive, policy-driven governance that aligns with zero-trust principles, where trust is not assumed and evaluations are continuous and contextual. Not all AI interactions present the same risk, and policies should be reflective of these differences.

For instance, cautiously granting access to an AI application for certain users or enabling transactions only in browser-isolation mode can mitigate risks, preventing the pasting of sensitive data. Conversely, guiding users towards corporate-approved alternatives that are managed on-premise allows employees to harness productivity benefits without jeopardizing data security. A secure and efficient method for using AI diminishes the necessity for employees to circumvent established protocols.

Additionally, Zscaler’s data protection solutions empower employees to engage with specific public AI applications while safeguarding sensitive information from unintended dissemination. Research indicates over 4 million data loss prevention (DLP) incidents within the Zscaler cloud, where intended transmissions of sensitive data, such as financial details, personally identifiable information, source code, and medical records to AI applications were successfully blocked by Zscaler policies. Without these DLP measures, organizations would have faced significant data exposures.

Balancing Enablement With Protection

Adopting generative AI should not be perceived as a challenge to security; instead, it should be approached with a focus on responsible implementation. Organizations have the opportunity to achieve both heightened productivity and enhanced protection through the right tools and mindset.